ECOWAS Data Protection Act

Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS

Flag of BJFlag of BFFlag of CV+12
ECOWAS member statesOpt-inSupranational
Back to Regulations Guide

Key Facts

Effective Date
February 16, 2010
Enacted
February 16, 2010
Enforcing Authority
National DPAs of member states; ECOWAS Commission oversees harmonization
Consent Model
Opt-in
Applies To
ECOWAS member state governments; indirectly affects all data controllers within member states

Overview

The ECOWAS Supplementary Act is the first binding sub-regional data protection framework in Africa, adopted in 2010 and strongly influenced by the EU Data Protection Directive. About two-thirds of the 15 member states have enacted national implementing legislation. A revised draft was validated in November 2024.

What This Means for Your Website

  • The Act requires member states to enact national data protection laws
  • About two-thirds of ECOWAS states have national implementing legislation
  • National laws rather than the Act directly regulate websites
  • A revision to modernize the framework is underway
  • Member states must establish independent supervisory authorities

Key Requirements

National DPAs enforce implementing legislation while the ECOWAS Commission oversees harmonization. Penalties are deferred to national laws. Processing requires consent or lawful basis. Cross-border transfers are restricted. The revision aims to address the digital landscape evolution since 2010.

How ConsentStack Handles This

ConsentStack applies the consent requirements of each ECOWAS member state's national law rather than the Supplementary Act directly.

Penalties

Deferred to national legislation; act requires member states to establish sanctions.

Key Requirements

  • Member states must adopt national data protection legislation
  • Each state must establish a national DPA
  • Processing requires consent or other lawful basis
  • Cross-border transfers restricted to adequate-protection countries
  • Data subjects have rights of access, rectification, and opposition
  • Sensitive data subject to stricter conditions

Notable Provisions

  • First binding sub-regional DP framework in Africa
  • Revised draft validated November 2024 in Accra
  • About two-thirds of member states have enacted implementing legislation
  • Strongly influenced by EU Directive 95/46/EC

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

What is the ECOWAS Data Protection Act?

The first binding sub-regional data protection framework in Africa, adopted in 2010, requiring member states to enact national data protection laws.

How many ECOWAS states have data protection laws?

About two-thirds of the 15 member states have enacted national implementing legislation.

Is the ECOWAS Act being updated?

Yes. A revised draft was validated by member state experts in November 2024 in Accra, aiming to modernize the 2010 framework.

Stay compliant with ECOWAS Data Protection Act

ConsentStack helps you implement Opt-in consent for ECOWAS member states automatically.

Get started